Implementing OAM - Windows and the SYSTEM userid |
Author |
Message
|
mehedi |
Posted: Thu Aug 18, 2005 11:54 am Post subject: Implementing OAM - Windows and the SYSTEM userid |
|
|
Centurion
Joined: 11 Nov 2001 Posts: 102 Location: PSTech
|
There are processes owned by the 'SYSTEM' userid running on a WINDOWS server. These processes need access to queues on the queue manager.
The 'SYSTEM' userid is not managed via the UserManager.
What authorities (in the Windows world, like Administrator, operator) does it have?
Can this user's access be restricted to particular queues on the QM?
What will the setmqaut statement look like for this user?
Thanks
Mehedi |
|
|
 |
paulgroo |
Posted: Fri Sep 02, 2005 7:22 am Post subject: |
|
|
 Centurion
Joined: 07 Jul 2005 Posts: 138 Location: Ireland
|
I think you may be getting SYSTEM user from looking at the processes in Task Manager. This SYSTEM user, unfortunately, isn't a user such as 'administrator'. When a process is listed under SYSTEM, it means that the OS has started it.
"What authorities does it have?"
contact admin authority
"Can this user access be restricted to particular queues on the QM?"
Not really. You can allow them access in the MQM group though...
"What will the setmqaut statement look like for this user?"
I haven't a clue, but try and do it through a GUI (Download WMQTool).
I hope this helps... |
|
|
 |
jefflowrey |
Posted: Fri Sep 02, 2005 7:28 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
I do not think you will be able to block this user with setmqaut.
I think this user counts as an administrator, and thus will always be authorized. _________________ I am *not* the model of the modern major general. |
|
|
 |
hopsala |
Posted: Fri Sep 02, 2005 11:06 am Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
The key point here is
paulgroo wrote: |
"What authorities does it have?"
contact admin authority |
Understand, these are not user programs, but system processes; they really have no business working with MQ unless someone turns to them and tells them to - and in such a case, as said, they get contact admin authority, meaning they have the authorities of whomever turned to them. It is not dissimilar from Context in channels.
In the case they do turn to MQ resources (usually through the FS or dll resources) it is only for system operations - memory management, paging etc - and then they have Administrator authorities.
Bottom line - you really shouldn't bother taking these processes into consideration in your MQ OAM config. |
|
|
 |
jefflowrey |
Posted: Fri Sep 02, 2005 11:23 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
Except that anyone who writes a service, or uses something like srvany, or a scheduled task, can configure that to run as LocalSystem.
So I could, for example, write a process to watch a directory and then write contents of "new" files to a queue. And this would be a useful thing. But I could easily tell it to run as LocalSystem, and then I wouldn't need to "bother" my MQAdmin to give me setmqaut. Which ... might not... be useful. _________________ I am *not* the model of the modern major general. |
|
|
 |
hopsala |
Posted: Fri Sep 02, 2005 1:49 pm Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
jefflowrey wrote: |
Except that anyone who writes a service, or uses something like srvany, or a scheduled task, can configure that to run as LocalSystem. |
Well, if silly people do silly things, I can't really help it now can I?
If someone writes a service, and another someone actually gives him permission to put that service (or scheduled task, or whatever) on a production machine as LocalSystem, it's their own damn fault. There is no way of securing against idiocy.
If you write a process that watches a dir and writes to q, give it a user that is authorized for that lib and that q, no more. Better yet, use the JText adapter, why re-invent?
Point being, you shouldn't use LocalSystem but specific users with specific permissions for specific tasks. |
|
|
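The least-privilege setup recommended in the post above, as an added example that is not part of the original thread: a dedicated account gets connect on the queue manager and put on a single queue, and services or scheduled tasks still configured as LocalSystem are listed for review. The queue manager `QM1`, the queue `FILEWATCH.IN` and the account `svc_filewatch` are assumed names.

```powershell
# Added example. QM1, FILEWATCH.IN and svc_filewatch are assumed names,
# not values from the thread.
$QMgr    = 'QM1'
$Queue   = 'FILEWATCH.IN'
$Account = 'svc_filewatch'   # dedicated account, not in mqm or Administrators

# Grant only what a directory-to-queue writer needs:
# connect to the queue manager and put to one queue.
setmqaut -m $QMgr -t qmgr -p $Account +connect
setmqaut -m $QMgr -n $Queue -t queue -p $Account +put

# Display the resulting authorities so the grant can be reviewed.
dspmqaut -m $QMgr -t qmgr -p $Account
dspmqaut -m $QMgr -n $Queue -t queue -p $Account

# Services configured to run as LocalSystem whose binary lives outside
# the Windows directory: candidates for a move to a dedicated account.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -eq 'LocalSystem' -and
        $_.PathName -notmatch [regex]::Escape($env:SystemRoot)
    } |
    Select-Object Name, State, StartMode, PathName

# Scheduled tasks outside \Microsoft\ whose principal is SYSTEM (S-1-5-18).
$tasks = Get-ScheduledTask |
    Where-Object {
        $_.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$' -and
        $_.TaskPath -notlike '\Microsoft\*'
    } |
    Select-Object TaskPath, TaskName,
        @{ Name = 'Action'; Expression = { $_.Actions.Execute -join '; ' } }

$services | Format-Table -AutoSize
$tasks    | Format-Table -AutoSize
```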
 |
jefflowrey |
Posted: Fri Sep 02, 2005 2:54 pm Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
hopsala wrote: |
better yet, use the JText adapter, why re-invent?  |
Actually, in my opinion, JText needs to be reinvented. Having to insert a data format identifier into the file, instead of a more flexible system, makes it almost useless in most production environments that I know of.
Plus, if you're actually going to spend money on this kind of thing, it fails in all respects in comparison to something like PM4Data.
And that's leaving aside all of the horrible configuration that has to be done, and done right, in order to get the thing to function in the first place. _________________ I am *not* the model of the modern major general. |
|
|
 |
hopsala |
Posted: Fri Sep 02, 2005 3:18 pm Post subject: |
|
|
 Guardian
Joined: 24 Sep 2004 Posts: 960
|
To give an impression of my feelings towards JText, and adapter infrastructure in general (coupled with ICS), here are a few samples of earlier posts:
hopsala wrote: |
I think it is an unnecessary concept with bad design and worse documentation |
hopsala wrote: |
(Footnote: I have seen many products in my day, and I must say this is one of the worst ones yet. I do not say this in enmity, but in calm computation. Unless persuaded otherwise, will post an elaboration on my experience with it and what WBIe really is. These are matters the public should know.)
|
hopsala wrote: |
I know this product to be especially nerve-wracking, so I am always glad to help a fellow ICS casualty ... |
I think the general idea is clear.
Anyway, good to hear of alternatives like this PM4Data you speak of, will open a topic of this matter of Integration alternatives in near future. (after searching for prev posts, of course) |
|
|
 |
jefflowrey |
Posted: Sat Sep 03, 2005 10:39 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
CommerceQuest's ProcessManager for Data (PM4Data) even has an IBM product number. _________________ I am *not* the model of the modern major general. |
|
|